+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  November 26th, 2004                          Volume 5, Number 47a  |
+---------------------------------------------------------------------+

  Editors:     Dave Wreski                    Benjamin D. Thomas
               dave@xxxxxxxxxxxxxxxxx         ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for bugzilla, samba, bnc, sudo,
Cyrus, yardradius, AbiWord, unarj, pdftohtml, ProZilla, phpBB, TWiki,
XFree86, libxpm4, a2ps, zip, kdebase, and kdelibs. The distributors
include Conectiva, Debian, Fedora, Gentoo, Mandrake, Openwall, and
Trustix.

----- LinuxSecurity.com Version 2 -----

Get ready ... on December 1st the new LinuxSecurity.com site will be
revealed. The same great content you've come to expect with a whole new
look and great new features. A sneak preview is coming soon!

http://ads.linuxsecurity.com/cgi-bin/ads.pl?banner=lsv2flashdemo

------

Security Basics

In the ever-changing world of global data communications, inexpensive
Internet connections, and fast-paced software development, security is
becoming more and more of an issue. Security is now a basic requirement
because global computing is inherently insecure. As your data goes from
point A to point B on the Internet, for example, it may pass through
several other points along the way, giving other users the opportunity
to intercept, and even alter, your data. Even other users on your system
may maliciously transform your data into something you did not intend.
Unauthorized access to your system may be obtained by intruders, also
known as ``crackers'', who then use advanced knowledge to impersonate
you, steal information from you, or even deny you access to your own
resources.
If you're still wondering what the difference is between a ``Hacker''
and a ``Cracker'', see Eric Raymond's document, ``How to Become A
Hacker'', available at:
http://www.catb.org/~esr/faqs/hacker-howto.html

How Vulnerable Are We?

While it is difficult to determine just how vulnerable a particular
system is, there are several indications we can use:

  * The Computer Emergency Response Team consistently reports an
    increase in computer vulnerabilities and exploits.

  * TCP and UDP, the protocols that comprise the Internet, were not
    written with security as their first priority when it was created
    more than 30 years ago.

  * A version of software on one host has the same vulnerabilities as
    the same version of software on another host. Using this
    information, an intruder can exploit multiple systems using the
    same attack method.

  * Many administrators don't even take simple security measures
    necessary to protect their site, or don't understand the
    ramifications of implementing some se

Excerpt from the LinuxSecurity Administrator's Guide:
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html
Written by: Dave Wreski (dave@xxxxxxxxxxxxxxxxxxx)

-----

Mass deploying Osiris

Osiris is a centralized file-integrity program that uses a
client/server architecture to check for changes on a system. A central
server maintains the file-integrity database and configuration for a
client and, at a specified time, sends the configuration file over to
the client, runs a scan and sends the results back to the server to
compare any changes. Those changes are then sent via email, if
configured, to a system admin or group of people. The communication is
all done over an encrypted communication channel.

http://www.linuxsecurity.com/feature_stories/feature_story-175.html

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
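The scan-and-compare core of a file-integrity check of the kind the Osiris story above describes, as an added illustration that is not Osiris code: it baselines a directory tree, rescans it after changes, and reports what was added, removed or altered (and which attribute changed). The tree, file contents and simulated tampering in demo() are constructed for this example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def scan(root: str) -> dict:
    """Record SHA-256, size and permission bits for every file under root.
    Symlinks are hashed by their target string rather than followed."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            data = os.readlink(p).encode() if stat.S_ISLNK(st.st_mode) else p.read_bytes()
            db[str(p.relative_to(root))] = {"sha256": hashlib.sha256(data).hexdigest(),
                                            "size": st.st_size,
                                            "mode": stat.S_IMODE(st.st_mode)}
    return db

def compare(baseline: dict, current: dict) -> dict:
    """Report paths added, removed or changed, and which attributes differ."""
    changed = {}
    for path in baseline.keys() & current.keys():
        diffs = [k for k in ("sha256", "size", "mode") if baseline[path][k] != current[path][k]]
        if diffs:
            changed[path] = diffs
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "changed": changed}

def demo() -> dict:
    """Constructed sample: baseline a tiny tree, alter it, rescan and compare."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in (("etc/passwd", b"root:x:0:0::/root:/bin/bash\n"),
                          ("bin/ls", b"placeholder binary")):
            (Path(root) / rel).parent.mkdir(exist_ok=True)
            (Path(root) / rel).write_bytes(body)
        baseline = scan(root)
        # Simulated tampering: append to a config, chmod a binary, add a file
        with open(Path(root) / "etc/passwd", "ab") as f:
            f.write(b"guest:x:1001:1001::/home/guest:/bin/sh\n")
        os.chmod(Path(root) / "bin/ls", 0o700)
        (Path(root) / "bin/extra").write_bytes(b"#!/bin/sh\n")
        return compare(baseline, scan(root))
```

A real deployment would keep the baseline on the server and only ship the scan results back, as the Osiris design does; the comparison logic is the same.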
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

 11/23/2004 - shadow-utils authentication bypass vulnerability fix

   Martin Schulze reported a vulnerability[2] in the passwd_check()
   function in "libmisc/pwdcheck.c" which is used by chfn and chsh and
   thus may allow a local attacker to use them to change the standard
   shell of other users or modify their GECOS information (full name,
   phone number...).
   http://www.linuxsecurity.com/advisories/conectiva_advisory-5223.html

 11/23/2004 - bugzilla remote vulnerability fix

   Bugzilla versions prior to 2.16.7 have a vulnerability[3] which
   allows a remote user to remove keywords from a ticket even without
   the necessary permissions. Such an action, however, would trigger
   the usual e-mail detailing the changes, making it easy to discover
   what happened and what was changed.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-5224.html

 11/25/2004 - samba denial of service vulnerability fix

   Karol Wiesek found a vulnerability[2] in the input validation
   routines in Samba 3.x used to match filename strings containing
   wildcard characters that may allow a remote attacker to consume
   abnormal amounts of CPU cycles.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-5234.html

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 11/24/2004 - bnc buffer overflow

   Leon Juranic discovered that BNC, an IRC session bouncing proxy,
   does not always protect buffers from being overwritten. This could
   be exploited by a malicious IRC server to overflow a buffer of
   limited size and execute arbitrary code on the client host.
   http://www.linuxsecurity.com/advisories/debian_advisory-5227.html

 11/24/2004 - sudo privilege escalation fix

   Liam Helmer noticed that sudo, a program that provides limited super
   user privileges to specific users, does not clean the environment
   sufficiently. Bash functions and the CDPATH variable are still
   passed through to the program running as privileged user, leaving
   possibilities to overload system routines.
   http://www.linuxsecurity.com/advisories/debian_advisory-5228.html

 11/24/2004 - sudo removes debug output

   Liam Helmer noticed that sudo, a program that provides limited super
   user privileges to specific users, does not clean the environment
   sufficiently. Bash functions and the CDPATH variable are still
   passed through to the program running as privileged user, leaving
   possibilities to overload system routines.
   http://www.linuxsecurity.com/advisories/debian_advisory-5229.html

 11/25/2004 - Cyrus IMAP arbitrary code execution fix

   Stefan Esser discovered several security related problems in the
   Cyrus IMAP daemon. Due to a bug in the command parser it is possible
   to access memory beyond the allocated buffer in two places which
   could lead to the execution of arbitrary code.
   http://www.linuxsecurity.com/advisories/debian_advisory-5240.html

 11/25/2004 - yardradius arbitrary code execution fix

   Max Vozeler noticed that yardradius, the YARD radius authentication
   and accounting server, contained a stack overflow similar to the one
   from radiusd which is referenced as CAN-2001-0534. This could lead
   to the execution of arbitrary code as root.
   http://www.linuxsecurity.com/advisories/debian_advisory-5241.html

 11/25/2004 - tetex-bin arbitrary code execution fix

   Chris Evans discovered several integer overflows in xpdf, that are
   also present in tetex-bin, binary files for the teTeX distribution,
   which can be exploited remotely by a specially crafted PDF document
   and lead to the execution of arbitrary code.
   http://www.linuxsecurity.com/advisories/debian_advisory-5242.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

 11/19/2004 - system-config-users-1.2.28-0.fc3.1 update
   arbitrary code execution fix

   check for running processes of a user about to be deleted (#132902)
   http://www.linuxsecurity.com/advisories/fedora_advisory-5205.html

 11/19/2004 - system-config-users-1.2.28-0.fc2.1 update
   arbitrary code execution fix

   check for running processes of a user about to be deleted (#132902)
   http://www.linuxsecurity.com/advisories/fedora_advisory-5206.html

 11/19/2004 - rhgb-0.16.1-1.FC3 update
   arbitrary code execution fix

   This should fix the problem where rhgb blocks the boot process when
   X fails to initialize correctly, as well as the one preventing
   vncserver from starting when rhgb is used.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5207.html

 11/22/2004 - redhat-menus-3.7-2.2.fc3 update
   arbitrary code execution fix

   This update adds additional file types to the list of file types
   associated with the OpenOffice.org application suite, allowing users
   to open more documents with OpenOffice.org through Nautilus and
   Evolution.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5213.html

 11/22/2004 - kernel-2.6.9-1.6_FC2 update
   arbitrary code execution fix

   This update brings a rebase to 2.6.9, including various security
   fixes incorporated into the upstream kernel, and also includes Alan
   Cox's -ac patchset, which adds additional security fixes.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5214.html

 11/22/2004 - kernel-2.6.9-1.681_FC3 update
   arbitrary code execution fix

   This update brings an updated -ac patch which adds several security
   fixes, and various other fixes that have occurred since the release
   of Fedora Core 3.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5215.html

 11/22/2004 - redhat-menus-3.7.1-1.fc3 update
   arbitrary code execution fix

   This update fixes the missing evolution icon bug (#rh138282).
   http://www.linuxsecurity.com/advisories/fedora_advisory-5216.html

 11/23/2004 - system-config-display-1.0.24-1 update
   arbitrary code execution fix

   This fixes tracebacks experienced by some users with dual head
   support.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5217.html

 11/24/2004 - system-config-samba-1.2.22-0.fc3.1 update
   arbitrary code execution fix

   add missing options (#137756)
   http://www.linuxsecurity.com/advisories/fedora_advisory-5230.html

 11/24/2004 - system-config-samba-1.2.22-0.fc2.1 update
   arbitrary code execution fix

   add missing options (#137756), don't raise exception when writing
   /etc/samba/smb.conf (#135946), updated translations
   http://www.linuxsecurity.com/advisories/fedora_advisory-5231.html

 11/25/2004 - AbiWord bug fixes

   Fixes for tempnam usages and startup geometry crashes
   http://www.linuxsecurity.com/advisories/fedora_advisory-5232.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 11/19/2004 - X.org, Xfree vulnerabilities bug fixes

   libXpm contains several vulnerabilities that could lead to a Denial
   of Service and arbitrary code execution.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5209.html

 11/19/2004 - unarj Long filenames buffer overflow and a path traversal
   vulnerability

   unarj contains a buffer overflow and a directory traversal
   vulnerability. This could lead to overwriting of arbitrary files or
   the execution of arbitrary code.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5210.html

 11/23/2004 - pdftohtml Vulnerabilities in included Xpdf

   pdftohtml includes vulnerable Xpdf code to handle PDF files, making
   it vulnerable to execution of arbitrary code upon converting a
   malicious PDF file.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5219.html

 11/23/2004 - ProZilla Multiple vulnerabilities

   ProZilla contains several buffer overflow vulnerabilities that can
   be exploited by a malicious server to execute arbitrary code with
   the rights of the user running ProZilla.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5220.html

 11/23/2004 - phpBB Remote command execution

   phpBB contains a vulnerability which allows a remote attacker to
   execute arbitrary commands with the rights of the web server user.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5221.html

 11/24/2004 - TWiki Arbitrary command execution

   A bug in the TWiki search function allows an attacker to execute
   arbitrary commands with the permissions of the user running TWiki.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5222.html

 11/25/2004 - Cyrus IMAP Multiple remote vulnerabilities

   The Cyrus IMAP Server contains multiple vulnerabilities which could
   lead to remote execution of arbitrary code.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5233.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 11/23/2004 - XFree86 vulnerabilities fix

   A source code review of the XPM library, done by Thomas Biege of the
   SuSE Security-Team revealed several different kinds of bugs. These
   bugs include integer overflows, out-of-bounds memory access, shell
   command execution, path traversal, and endless loops.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5225.html

 11/23/2004 - libxpm4 vulnerabilities fix

   A source code review of the XPM library, done by Thomas Biege of the
   SuSE Security-Team revealed several different kinds of bugs. These
   bugs include integer overflows, out-of-bounds memory access, shell
   command execution, path traversal, and endless loops.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5226.html

 11/25/2004 - Cyrus IMAP multiple vulnerabilities

   A number of vulnerabilities in the Cyrus-IMAP server were found by
   Stefan Esser. Due to insufficient checking within the argument
   parser of the 'partial' and 'fetch' commands, a buffer overflow
   could be exploited to execute arbitrary attacker-supplied code.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5235.html

 11/25/2004 - a2ps vulnerability fix

   The GNU a2ps utility fails to properly sanitize filenames, which can
   be abused by a malicious user to execute arbitrary commands with the
   privileges of the user running the vulnerable application.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5236.html

 11/25/2004 - zip vulnerability fix

   A vulnerability in zip was discovered where zip would not check the
   resulting path length when doing recursive folder compression, which
   could allow a malicious person to convince a user to create an
   archive containing a specially-crafted path name.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5237.html

 11/26/2004 - kdebase various bugs fixes

   A number of bugs in kdebase are fixed with this update.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5238.html

 11/26/2004 - kdelibs various bugs fix

   A number of bugs in kdelibs are fixed with this update.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5239.html

+---------------------------------+
|  Distribution: Openwall         | ----------------------------//
+---------------------------------+

 11/23/2004 - 2.4.28-ow1 security-related bugs various bugs fix

   Linux 2.4.28, and thus 2.4.28-ow1, fixes a number of security-related
   bugs, including the ELF loader vulnerabilities discovered by Paul
   Starzetz (confirmed: ability for users to read +s-r binaries;
   potential: local root), a race condition with reads from Unix domain
   sockets (potential local root), smbfs
   http://www.linuxsecurity.com/advisories/openwall_advisory-5218.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

 11/22/2004 - apache, kernel, sudo Multiple vulnerabilities
   various bugs fix

   An issue was discovered where the field length limit was not
   enforced for certain malicious requests. This could lead to a remote
   denial of service attack.
   http://www.linuxsecurity.com/advisories/trustix_advisory-5211.html

 11/22/2004 - amavisd-new, anaconda, courier-imap, ppp, setup,
   spamassassin, swup, tftp-hpa, tsl-utils Package bugfixes
   various bugs fix

   amavisd-new: Add tmpwatch of the virusmails directory to keep it
   from growing infinitely. Anaconda: Increase ramdisk-size as needed
   by netboot floppy. Courier-imap: Now use $HOME/Maildir.
   http://www.linuxsecurity.com/advisories/trustix_advisory-5212.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------